Applying the patch accessible here: ftp://ftp.openldap.org/incoming/Daniel-Pluta-120808.patch together with the acl set below obsoletes ITS#6900.
In combination they enable the mode of operation we described in section VI, subsection G. of the previously linked paper.
to dn.base="ou=groups,o=test" attrs=children
    by users write
    by * none

to dn.one="ou=groups,o=test" attrs=owner
    by dnattr=owner write continue
    by dnattr=owner self-z
    by * none break

to dn.one="ou=groups,o=test" attrs=entry,@groupOfNames
    by dnattr=owner write
    by * none
The patch enables support to independently subtract the privileges 'z' or 'a' from 'w', while 'a' or 'z' remain in the resulting bit mask. The other way around, adding 'a' or 'z' privs is also supported.
Nevertheless, in the sense of the subject of this ITS the patch represents only a workaround. A clean solution (separating the 'a', 'z' and 'w' bitmasks) is of course preferable.
LDIF test cases using ldapmodify command:
ldapmodify -x -D "cn=000001,ou=persons,o=test" ...
# create group entry (should fail)
# (the cn value must match the RDN, otherwise slapd rejects the add with a
# naming violation before any ACL is evaluated)
dn: cn=its7347-fail,ou=groups,o=test
changetype: add
cn: its7347-fail
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

# create group entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test

# add another owner (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: modify
add: owner
owner: cn=000002,ou=persons,o=test

# delete the other owner (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: modify
delete: owner
owner: cn=000002,ou=persons,o=test

# delete the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: delete

# restore the group (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

# delete the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: delete

# again restore the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

# try to delete the owner (should fail)
dn: cn=its7347-success,ou=groups,o=test
changetype: modify
delete: owner
owner: cn=000001,ou=persons,o=test

# delete the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: delete
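To make the expected outcomes of the test cases above checkable without a running slapd, here is a small Python model of the privilege arithmetic the ACL set relies on. This is an added illustration, not code from OpenLDAP, from the patch or from this ticket: it models only what the three access clauses exercise (access levels, the =/+/- privilege increments with 'w' expanding to 'a'+'z', the 'self' qualifier treated as a value-match condition as described in slapd.access(5), and the continue/stop/break controls). DN-scope matching (dn.base/dn.one) is assumed satisfied, the default policy for unmatched targets is assumed to be deny, and all function and constant names are hypothetical.

```python
"""Simplified model of slapd privilege arithmetic for the ITS#7347 ACL set.
Added illustration only; not OpenLDAP code.  Assumptions: DN scope always
matches, unmatched targets are denied, 'self' gates on value == requester."""

# Access levels expand to privilege letters; 'w' is shorthand for a (add) + z (delete).
LEVELS = {
    "none": frozenset(),
    "read": frozenset("rscx"),
    "write": frozenset("rscxaz"),
}

# Attributes that @groupOfNames expands to (MUST and MAY of the object class).
GROUP_OF_NAMES_ATTRS = {"cn", "member", "owner", "businessCategory",
                        "seeAlso", "ou", "o", "description"}


def expand(letters):
    """Expand the letters of a privilege increment, splitting 'w' into a and z."""
    privs = set()
    for ch in letters:
        privs |= {"a", "z"} if ch == "w" else {ch}
    return privs


def apply_access(mask, spec):
    """Apply one <access> token to the accumulated mask.
    A level replaces the mask; '=' sets it, '+' adds and '-' subtracts
    letters, so 'write' followed by '-z' leaves add but not delete."""
    if spec in LEVELS:
        return set(LEVELS[spec])
    op, letters = spec[0], spec[1:]
    if op == "=":
        return expand(letters)
    if op == "+":
        return mask | expand(letters)
    if op == "-":
        return mask - expand(letters)
    raise ValueError("unknown access spec: " + spec)


# The ticket's ACL set: (target attrs, [(who, self?, access, control), ...]).
ACL = [
    ({"children"}, [("users", False, "write", "stop"),
                    ("*", False, "none", "stop")]),
    ({"owner"}, [("dnattr=owner", False, "write", "continue"),
                 ("dnattr=owner", True, "-z", "stop"),       # self-z
                 ("*", False, "none", "break")]),
    ({"entry"} | GROUP_OF_NAMES_ATTRS, [("dnattr=owner", False, "write", "stop"),
                                        ("*", False, "none", "stop")]),
]


def who_matches(who, requester, owners):
    """Evaluate the <who> part of a by clause (only the forms the ACL uses)."""
    if who == "*":
        return True
    if who == "users":
        return requester is not None          # any authenticated bind
    if who == "dnattr=owner":
        return requester in owners            # requester DN listed in owner
    raise ValueError("unknown who clause: " + who)


def resolve(attr, value, requester, owners):
    """Return the privilege set the ACL yields for attr/value of a group entry
    whose owner values are `owners`, for a bind as `requester`."""
    mask = set()
    for attrs, by_clauses in ACL:
        if attr not in attrs:
            continue
        outcome = "fallthrough"
        for who, is_self, spec, control in by_clauses:
            if not who_matches(who, requester, owners):
                continue
            if is_self and value != requester:    # self: value must be the requester's DN
                continue
            mask = apply_access(mask, spec)
            outcome = control
            if control != "continue":
                break
        if outcome == "break":
            continue          # break: carry the mask into the next access clause
        if outcome in ("continue", "fallthrough"):
            return set()      # ran off the end of the by clauses: nothing granted
        return mask           # stop
    return set()              # no clause matched the target (model assumes deny)


def allowed(priv, attr, value, requester, owners):
    return priv in resolve(attr, value, requester, owners)


U1 = "cn=000001,ou=persons,o=test"   # the bind DN used by the ldapmodify tests
U2 = "cn=000002,ou=persons,o=test"


def run_ticket_cases():
    """Mirror the ldapmodify test cases above, bound as U1 (constructed inputs)."""
    return {
        "create group owned by U2": allowed("a", "entry", None, U1, {U2}),
        "create group owned by U1": allowed("a", "entry", None, U1, {U1}),
        "add U2 as owner": allowed("a", "owner", U2, U1, {U1}),
        "delete U2 from owner": allowed("z", "owner", U2, U1, {U1, U2}),
        "delete own owner value": allowed("z", "owner", U1, U1, {U1, U2}),
        "delete the entry": allowed("z", "entry", None, U1, {U1, U2}),
    }


if __name__ == "__main__":
    for case, ok in run_ticket_cases().items():
        print("%-28s %s" % (case, "succeeds" if ok else "fails"))
```

The interesting path is the owner attribute: the first by clause grants the owner `write` and continues, the `self-z` clause then strips delete only when the value being modified is the requester's own DN and stops there, while for any other value evaluation falls through to `by * none break` and is re-decided by the third access clause, which grants the owner write again. That is why an owner can add and remove other owners but cannot remove itself.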